Linux ksu (kerberized super user) command fails to use cached service (host) tickets... how can I do this?

Benjamin Kaduk kaduk at
Thu Nov 9 08:21:16 EST 2017

On Thu, Nov 09, 2017 at 11:10:12AM +0100, Fabiano Tarlao wrote:
>    - is there a way to populate a Kerberos cache file with a service ticket
>    (for the host) that is compatible with *ksu*?
>    - I have read about *kvno*
>    <>
>    command but I have failed to use it, the documentation does not suffice
>    (for me) and there are no usage examples around, can you explain me how to
>    use it?

kvno is a simple tool that attempts to perform a TGS request for a ticket
for the indicated service principal, and reports the key version number
of that service principal used by the KDC to encrypt the ticket.
It requires a TGT to be present in the cache already, so you would do
your normal kinit, and then `kvno HOST/ at ADDEMO.IT`.

>    - Are there alternatives to *kvno* command in order to perform service
>    ticket requests to TGS (and put it into a cache file)?

Not really.  That is, there are lots of things that will request a
service ticket and put it in the cache as part of their normal operation
(ssh, ldapsearch, etc.), but kvno is the closest to a dedicated tool
for this operation.

>    - Am I doing something wrong? Any tip?

My only guess is that ksu is being confused the the 'initial' service
ticket (i.e., obtained directly from the AS and not the TGS), so that
kinit+kvno would help.  But the ksu codebase is not much fun to go
looking in, so I did not try to check.


More information about the Kerberos mailing list